
Social Engineering

The fraudulent practice of manipulating people, rather than attacking software, into revealing sensitive personal data, granting access or sending money. Types include phishing, romance scams, sextortion, imposter scams and more.

What is Social Engineering?

Social engineering is the fraudulent practice of manipulating people into revealing sensitive personal data, granting access to systems, or sending money to an unintended recipient. It targets the person rather than the technology, and it is carried out over email, phone, text message, social media and in person.

Social engineering attacks use emotion, authority and familiarity to get people to do something they otherwise would not. A common example is a phone call from someone claiming to be your boss who needs something done right away. People tend to defer to their managers, so a target who believes the caller really is their boss will often comply without stopping to verify the request.

Social Engineering Techniques

When malware creators use social engineering techniques, they can lure an unwary user into launching an infected file or opening a link to a malicious website. Many email worms and other common types of malware are spread via social engineering schemes.

Social engineering is the act of exploiting human weaknesses to gain access to personal information and protected systems. Attackers use it to obtain passwords and other credentials because tricking a person into handing them over is usually far easier than cracking them or breaking the software that protects them. Cybercriminals therefore rely on social engineering to talk people out of personal information or money.

Cybercriminals take advantage of the fact that humans are often the weakest link in the security chain: we can be fooled by people who are not what they seem. Just as you would check credentials before letting someone into your home or business, be deliberate about which emails, texts and other messages you open and respond to.

How Does Social Engineering Work?

Social engineers follow a fairly consistent pattern. First comes research and reconnaissance on the target. If the target is an enterprise (such as a financial institution), the attacker gathers intelligence about its organizational structure, internal practices, the lingo employees use and its business partners, often from public sources such as the company website, job postings and employees' social media profiles. Next comes the approach: the attacker builds a pretext and makes contact with people who can provide initial access, such as a receptionist, help desk worker or security officer, using what was learned to sound like an insider. With that foothold, the attacker learns more about how the company operates and who holds the access or authority they need. Finally, they exploit the trust or access they have gained, for example by obtaining credentials, getting a payment approved or having malware installed, and withdraw before the deception is noticed.

How to Spot Social Engineering Attacks

Social engineering attacks are aimed at your personal information, so stay aware of what you share online and offline, and think about the consequences before giving out any personal data. An unfamiliar or slightly altered sender address may be an attempt to get you to open a malicious attachment or download malware. Be careful with attachments that appear to come from friends or coworkers, and confirm through a separate channel (a phone call or chat message, not a reply to the suspicious email) that the sender actually sent it. Human error, not a software flaw, is the weak link these attacks exploit.

Types of Social Engineering Attacks and Scams

  • Phishing: An attacker sends emails impersonating a legitimate company or institution, or even a charity, so that recipients reply with sensitive data or follow a link to a site that harvests it. Spelling and grammar mistakes, suspicious attachments, poor layout and inconsistent formatting are all red flags that point to a phishing attempt.

  • Vishing: A social engineering attack carried out by voice. VoIP technology makes caller ID trivial to spoof, which exploits people's misplaced trust in the number shown on their phone. VoIP also makes it cheap to place automated calls that play a recorded message to many victims at once.

  • Smishing: A form of social engineering delivered by SMS. Text messages can carry links to websites, email addresses and other resources; tapping one may automatically open a browser, mail client or another application. Users can be tricked into tapping these links and falling victim to the malicious activity behind them.

Common Phishing Attack Examples

Phishing emails usually give themselves away in several ways.

  • Suspicious sender's address: The sender's address may imitate a legitimate business closely enough to fool a quick glance. Cybercriminals often register a domain that closely resembles a reputable company's by altering, omitting or adding a few characters (for example swapping a lowercase l for the digit 1). Even if the message carries a legitimate logo, look at the actual address rather than the display name, and check it for misspellings.

  • Generic greetings and signatures: Both a generic greeting such as "Dear Valued Customer" or "Sir/Ma'am" and a lack of contact information in the signature block are strong indicators of a phishing email. We have all received humorous emails, complete with bad grammar, from distant parts of the world announcing that a member of the nobility has left you a huge sum of money, requiring only a small payment on your part to "unlock" and release the funds. A trusted organization will normally address you by the name you provided when you registered with it and include its contact information.

  • Spoofed hyperlinks and websites: Hover your cursor over any link in the body of the email and compare the destination shown with the link text; in a phishing email they often do not match. A malicious website may look identical to the legitimate one, but the URL will use a variation in spelling or a different domain (e.g., .com vs. .net), which is very easy to overlook. Cybercriminals may also use a URL shortening service (such as Bit.ly) to hide the true destination of a malicious link.

  • Spelling and layout: Phishing emails often contain poor grammar and sentence structure, misspellings and inconsistent formatting, all further indicators of a phishing attempt. Reputable institutions have dedicated professionals who produce, verify and proofread customer correspondence before it is sent. The reverse does not hold, however: a polished, error-free message is not proof of legitimacy, and targeted phishing is often well written.

  • Suspicious attachments: An unsolicited email asking the recipient to download and open an attachment is a common way to deliver malware. Cybercriminals often use a false sense of urgency ("You Have Been Selected!", "Act Now to Save 50%") or importance ("Urgent Response Required") to persuade a user to download or open an attachment without examining it first.
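
The indicators in the list above can be checked mechanically. The following script is an added example (not Intel 471 code) that scans one raw email and reports the red flags discussed here: a sender domain that imitates a trusted one, a brand name in the display name that the address does not back up, a generic greeting, urgency phrases, a shortened link, link text that names a different site than the href, and a risky attachment. The trusted-domain list, shortener list, keyword lists, similarity threshold and the sample message are all constructed assumptions for illustration; the anchor-tag regex and the two-label "registrable domain" rule are deliberate simplifications.

```python
# Heuristic phishing-indicator scanner for one raw email (added example, not Intel 471
# code). Domain lists, keyword lists and the sample message are constructed; tune them.
import re
from difflib import SequenceMatcher
from email import policy
from email.parser import BytesParser
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"examplebank.com", "intel471.com"}    # assumption: brands you expect mail from
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}  # assumption: shorteners worth flagging
GENERIC_GREETINGS = ("dear valued customer", "dear customer", "dear user", "sir/ma'am")
URGENCY = ("act now", "urgent response required", "you have been selected",
           "account will be suspended", "verify immediately")
RISKY_EXT = (".exe", ".js", ".vbs", ".scr", ".iso", ".zip", ".docm", ".xlsm", ".html")
ANCHOR = re.compile(r'<a\s[^>]*?href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)
TAG = re.compile(r"<[^>]+>")

def registrable(host):
    """Crude eTLD+1 (last two labels); adequate for .com/.net style domains."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

def lookalike(domain, trusted=TRUSTED_DOMAINS):
    """Trusted domain that `domain` imitates (other TLD, or a character or two off), else None."""
    if domain in trusted:
        return None
    name = domain.rsplit(".", 1)[0]
    for t in sorted(trusted):
        tname = t.rsplit(".", 1)[0]
        if name == tname or SequenceMatcher(None, name, tname).ratio() >= 0.8:
            return t
    return None

def check_links(html):
    """Shortened links and visible link text that names a different site than the href."""
    findings = []
    for href, inner in ANCHOR.findall(html):
        text, host = TAG.sub("", inner).strip(), urlparse(href).hostname or ""
        if registrable(host) in SHORTENERS:
            findings.append(f"shortened link hides destination: {href}")
        shown = re.search(r"(?:https?://)?([\w.-]+\.[a-z]{2,})", text, re.I)
        if shown and registrable(shown.group(1)) != registrable(host):
            findings.append(f"link text {text!r} but href goes to {host}")
    return findings

def check_sender(msg):
    """Lookalike From domain, or a trusted brand named in the display name only."""
    sender = msg["from"]
    if not sender or not sender.addresses:
        return ["missing or unparsable From header"]
    addr, findings = sender.addresses[0], []
    dom, imitated = registrable(addr.domain), lookalike(registrable(addr.domain))
    if imitated:
        findings.append(f"sender domain {dom} imitates {imitated}")
    if any(t.split(".")[0] in addr.display_name.lower() and dom != t for t in TRUSTED_DOMAINS):
        findings.append(f"display name {addr.display_name!r} but address is @{addr.domain}")
    return findings

def check_body(text):
    """Generic greeting and pressure language in the subject plus body text."""
    low, findings = text.lower(), []
    if any(g in low for g in GENERIC_GREETINGS):
        findings.append("generic greeting")
    if hits := [u for u in URGENCY if u in low]:
        findings.append(f"urgency language: {hits}")
    return findings

def scan(raw_bytes):
    """Return human-readable indicator strings for one raw RFC 5322 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    findings = check_sender(msg)
    findings += [f"risky attachment: {p.get_filename()}" for p in msg.iter_attachments()
                 if (p.get_filename() or "").lower().endswith(RISKY_EXT)]
    text = str(msg["subject"] or "")
    body = msg.get_body(preferencelist=("html", "plain"))
    if body is not None:
        content = body.get_content()
        text += "\n" + TAG.sub(" ", content)   # strip tags before keyword checks
        if body.get_content_type() == "text/html":
            findings += check_links(content)
    return findings + check_body(text)

# Constructed sample: digit 1 for l in the domain, brand in display name, shortened link, zip.
SAMPLE = b"""From: "ExampleBank Security" <alerts@examp1ebank.com>
Subject: Urgent response required
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>Dear Valued Customer,</p><p>Your account will be suspended. Act now:
<a href="https://bit.ly/3xyz">https://www.examplebank.com/login</a></p></body></html>
--b1
Content-Type: application/zip; name="invoice.zip"
Content-Disposition: attachment; filename="invoice.zip"

PK
--b1--
"""

if __name__ == "__main__":
    print(*scan(SAMPLE), sep="\n")
```

Run as a script, it lists seven findings for the constructed sample; a message from a trusted domain with matching link text and no pressure language produces none. The similarity threshold and the two-label domain rule are the weak points: tighten the former if legitimate partner domains get flagged, and replace the latter with a public-suffix list if you handle ccTLDs such as .co.uk.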

Educate your employees on how to avoid social engineering scams

Since humans are the target of social engineering scams, employees need to be educated on how to defend themselves from these attacks. Employee training is the first line of defense: teaching your staff to recognize the tactics listed above and to report them is of the utmost importance.

Machines can be fooled too, but people fall for manipulation far more readily, so training should be backed by technical controls: trusted antivirus software and mail filtering that flag suspicious messages or websites stop many attempts before a person ever sees them.

  • Don't open any emails promising you prizes or notifications of winning.

  • Scrutinize any email attachment before opening.

  • Don't give out personal or business information over the phone unless you placed the call yourself using a number you already had and had verified, such as the one on the company's website or your statement, never one supplied by the caller.

  • Use multi-factor authentication (MFA) so that a stolen password alone is not enough. Phishing-resistant methods such as hardware security keys are preferable to one-time codes sent by SMS or email, which an attacker can ask the victim to read out.

  • Be careful about downloading apps or files from unknown sources, including attachments and links in unsolicited email.

  • Contact IT if you're unsure about anything.

In Conclusion

Intel 471's range of intelligence products can help security teams defend against threats such as social engineering and mitigate risks from the underground.

Intel 471’s Adversary Intelligence provides security teams with visibility into the cybercrime underground, including insight into actor tactics, techniques, and procedures (TTPs), motivations, and operations.

Users can also monitor for compromised credentials proactively via Intel 471's Credential Intelligence service, track weaponized malware via our Malware Intelligence and determine patch prioritization of vulnerabilities via our Vulnerability Dashboard.